alpinelinux / docker-alpine

Official Alpine Linux Docker image. Win at minimalism!
MIT License

Freetype vulnerability / CVE-2022-27405, CVE-2022-27406 #253

Closed arunsai271 closed 2 years ago

arunsai271 commented 2 years ago

In the alpine 3.15.4 image, the maximum supported freetype version is 2.11, but in order to resolve the CVE-2022-27405 and CVE-2022-27406 issues the alpine 3.15.4 image should support freetype 2.12. We can see at https://gitlab.alpinelinux.org/alpine/aports/-/issues/13777 that the same upgrade request has been taken care of and the changes are merged into the master branch. Could you kindly let us know when these changes will be available as a patch fix in the 3.15.4 docker image?

mitchellmaler commented 2 years ago

Currently, freetype 2.12.1 is in the edge main repo. You can upgrade it by running this command: `apk upgrade freetype --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main`

arunsai271 commented 2 years ago

@mitchellmaler Tried the suggested command, but it is still pulling the 2.11 version. Please help.

Note: I cannot upgrade my alpine OS to Edge in production, since we know Edge is like a beta version and is not supposed to be used in production.

OS Details:

```
/ # cat /etc/os-release
NAME="Alpine Linux"
ID=alpine
VERSION_ID=3.15.4
PRETTY_NAME="Alpine Linux v3.15"
HOME_URL="https://alpinelinux.org/"
BUG_REPORT_URL="https://bugs.alpinelinux.org/"
/ #
```

Upgrade:

```
/ # apk upgrade freetype --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main
fetch http://dl-cdn.alpinelinux.org/alpine/edge/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/community/x86_64/APKINDEX.tar.gz
OK: 6 MiB in 14 packages
```

Details after upgrading:

```
/ # apk search | grep freetype
freetype-2.11.1-r1
freetype-dev-2.11.1-r1
freetype-doc-2.11.1-r1
freetype-static-2.11.1-r1
/ #
```

mitchellmaler commented 2 years ago

You most likely need to remove the old freetype version first: `apk del freetype && apk add --upgrade freetype --repository=http://dl-cdn.alpinelinux.org/alpine/edge/main`

arunsai271 commented 2 years ago

@mitchellmaler Thank you, the command is working. But in the same way I tried to upgrade openjdk8-jre, which internally uses freetype. openjdk8-jre 8.302 uses freetype 2.11, so I want to upgrade to openjdk8-jre 8.312, which internally uses freetype 2.12. But in this case openjdk8-jre 8.312 is still pulling the freetype 2.11 version, and I want it to pull freetype 2.12. Can you please suggest how to achieve it? My vulnerability scanner tool is still picking up the freetype 2.11 issue.

```
/ # apk update
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/main/x86_64/APKINDEX.tar.gz
fetch https://dl-cdn.alpinelinux.org/alpine/v3.15/community/x86_64/APKINDEX.tar.gz
v3.15.4-124-ga85ef407d0 [https://dl-cdn.alpinelinux.org/alpine/v3.15/main]
v3.15.4-128-gcc1b3f7211 [https://dl-cdn.alpinelinux.org/alpine/v3.15/community]
OK: 15857 distinct packages available
```

```
/ # apk del openjdk8-jre && apk add --upgrade openjdk8-jre --repository=http://dl-cdn.alpinelinux.org/alpine/edge/community
OK: 6 MiB in 14 packages
fetch http://dl-cdn.alpinelinux.org/alpine/edge/community/x86_64/APKINDEX.tar.gz
(1/51) Upgrading libcrypto1.1 (1.1.1n-r0 -> 1.1.1o-r0)
(2/51) Upgrading libssl1.1 (1.1.1n-r0 -> 1.1.1o-r0)
(3/51) Upgrading zlib (1.2.12-r0 -> 1.2.12-r1)
(4/51) Installing expat (2.4.7-r0)
(5/51) Installing brotli-libs (1.0.9-r5)
(6/51) Installing libbz2 (1.0.8-r1)
(7/51) Installing libpng (1.6.37-r1)
(8/51) Installing freetype (2.11.1-r1)
(9/51) Installing libuuid (2.37.4-r0)
(10/51) Installing fontconfig (2.13.1-r4)
(11/51) Installing encodings (1.0.5-r0)
(12/51) Installing libfontenc (1.1.4-r0)
(13/51) Installing mkfontscale (1.2.1-r1)
(14/51) Installing ttf-dejavu (2.37-r1)
(15/51) Installing libxau (1.0.9-r0)
(16/51) Installing libmd (1.0.3-r0)
(17/51) Installing libbsd (0.11.3-r1)
(18/51) Installing libxdmcp (1.1.3-r0)
(19/51) Installing libxcb (1.14-r2)
(20/51) Installing libx11 (1.7.2-r0)
(21/51) Installing libxcomposite (0.4.5-r0)
(22/51) Installing libxext (1.3.4-r0)
(23/51) Installing libxi (1.8-r0)
(24/51) Installing libxrender (0.9.10-r3)
(25/51) Installing libxtst (1.2.3-r3)
(26/51) Installing alsa-lib (1.2.5.1-r1)
(27/51) Installing libgcc (10.3.1_git20211027-r0)
(28/51) Installing giflib (5.2.1-r0)
(29/51) Installing libjpeg-turbo (2.1.2-r0)
(30/51) Installing libstdc++ (10.3.1_git20211027-r0)
(31/51) Installing openjdk8-jre-lib (8.312.07-r0)
(32/51) Installing java-common (0.5-r0)
(33/51) Installing libffi (3.4.2-r1)
(34/51) Installing p11-kit (0.24.0-r1)
(35/51) Installing libtasn1 (4.18.0-r0)
(36/51) Installing p11-kit-trust (0.24.0-r1)
(37/51) Installing ca-certificates (20211220-r0)
(38/51) Installing java-cacerts (1.0-r1)
(39/51) Installing nspr (4.32-r0)
(40/51) Installing sqlite-libs (3.36.0-r0)
(41/51) Installing nss (3.78-r0)
(42/51) Installing krb5-conf (1.0-r2)
(43/51) Installing libcom_err (1.46.4-r0)
(44/51) Installing keyutils-libs (1.6.3-r0)
(45/51) Installing libverto (0.3.2-r0)
(46/51) Installing krb5-libs (1.19.3-r0)
(47/51) Installing lcms2 (2.12-r1)
(48/51) Installing pcsc-lite-libs (1.9.4-r0)
(49/51) Installing liblksctp (1.0.19-r0)
(50/51) Installing openjdk8-jre-base (8.312.07-r0)
(51/51) Installing openjdk8-jre (8.312.07-r0)
Executing busybox-1.34.1-r5.trigger
Executing fontconfig-2.13.1-r4.trigger
Executing mkfontscale-1.2.1-r1.trigger
Executing java-common-0.5-r0.trigger
Executing ca-certificates-20211220-r0.trigger
OK: 106 MiB in 62 packages
```

```
/ # apk search | grep freetype
freetype-2.11.1-r1
freetype-dev-2.11.1-r1
freetype-doc-2.11.1-r1
freetype-static-2.11.1-r1
/ #
```

arunsai271 commented 2 years ago

@mitchellmaler any update please on how to resolve?

Loqova commented 2 years ago

It seems to me that nginx:mainline-alpine (currently Alpine Linux v3.15.4) is, according to a Grype scan, still vulnerable to:

```
NAME      INSTALLED  FIXED-IN   TYPE  VULNERABILITY   SEVERITY
curl      7.80.0-r0  7.80.0-r1  apk   CVE-2022-22576  Unknown
curl      7.80.0-r0  7.80.0-r1  apk   CVE-2022-27775  Unknown
curl      7.80.0-r0  7.80.0-r1  apk   CVE-2022-27776  Unknown
curl      7.80.0-r0  7.80.0-r1  apk   CVE-2022-27774  Unknown
freetype  2.11.1-r0             apk   CVE-2022-27405  High
freetype  2.11.1-r0  2.11.1-r1  apk   CVE-2022-27404  Critical
freetype  2.11.1-r0             apk   CVE-2022-27406  High
libcurl   7.80.0-r0  7.80.0-r1  apk   CVE-2022-22576  Unknown
libcurl   7.80.0-r0  7.80.0-r1  apk   CVE-2022-27774  Unknown
libcurl   7.80.0-r0  7.80.0-r1  apk   CVE-2022-27775  Unknown
libcurl   7.80.0-r0  7.80.0-r1  apk   CVE-2022-27776  Unknown
libgd     2.3.2-r1              apk   CVE-2021-38115  Medium
libgd     2.3.2-r1              apk   CVE-2021-40812  Medium
libgd     2.3.2-r1              apk   CVE-2021-40145  High
libxml2   2.9.13-r0  2.9.14-r0  apk   CVE-2022-29824  Medium
xz-libs   5.2.5-r0   5.2.5-r1   apk   CVE-2022-1271   Unknown
```

arunsai271 commented 2 years ago

Hi @mitchellmaler / Team, any updates on the solution, please? Sorry to bother you, but since it is a security-related concern, it is a priority for us. If we get a new alpine 3.15.5 image with all these fixes, it would solve all our problems hassle-free.

atawfik-elsevier commented 2 years ago

Hi @mitchellmaler we're also having issues concerning this. Is there a plan to release a new version without the freetype vulnerability, or is docker-alpine no longer in support? Thanks!

Khazii commented 2 years ago

Hi all, we're also getting the same issue:

```
Total: 1 (CRITICAL: 1)

+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
| freetype | CVE-2022-27404   | CRITICAL | 2.11.1-r0         | 2.11.1-r1     | FreeType: Buffer Overflow             |
|          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-27404 |
+----------+------------------+----------+-------------------+---------------+---------------------------------------+
```

Which is also blocking us from deploying.

ncopa commented 2 years ago

This is technically the wrong place to report issues with freetype, since the alpine docker base image does not include freetype. https://gitlab.alpinelinux.org/alpine/aports/-/issues would be better.

That said, I backported fixes for CVE-2022-27405 and CVE-2022-27406 in freetype-2.11.1-r2. See alpinelinux/aports@2cac7499017def246acff43ed3bec6e9e857c240.

ncopa commented 2 years ago

> Hi all, we're also getting the same issue:
>
> ```
> Total: 1 (CRITICAL: 1)
>
> +----------+------------------+----------+-------------------+---------------+---------------------------------------+
> | LIBRARY  | VULNERABILITY ID | SEVERITY | INSTALLED VERSION | FIXED VERSION |                 TITLE                 |
> +----------+------------------+----------+-------------------+---------------+---------------------------------------+
> | freetype | CVE-2022-27404   | CRITICAL | 2.11.1-r0         | 2.11.1-r1     | FreeType: Buffer Overflow             |
> |          |                  |          |                   |               | -->avd.aquasec.com/nvd/cve-2022-27404 |
> +----------+------------------+----------+-------------------+---------------+---------------------------------------+
> ```
>
> Which is also blocking us from deploying.

The docker image that pulls in freetype needs to be rebuilt. I don't know which image that is in your case, but I know for sure it's not the alpine base image.
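Once the derived image has been rebuilt, the thing to verify is that the freetype actually installed is at or above the fixed package version (2.11.1-r2 for the backport mentioned above), rather than trusting the base-image tag. The POSIX sh script below is an added example and not code from this thread or from the docker-alpine project; it compares Alpine-style `X.Y.Z-rN` versions and audits a constructed `apk info -v` inventory (assumptions: purely numeric version components, and package names without regex metacharacters).

```shell
# Constructed sample of `apk info -v` output from a derived image built
# before the freetype-2.11.1-r2 backport (not real output from this thread).
INSTALLED='musl-1.2.2-r7
libpng-1.6.37-r1
freetype-2.11.1-r0
zlib-1.2.12-r1
openjdk8-jre-8.312.07-r0'

# Compare dotted numeric strings: return 0 if equal, 1 if $1 > $2, 2 if $1 < $2.
# Assumption: purely numeric components; suffixes such as _git or _p are not handled.
dotted_cmp() {
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    ah=${a%%.*}; bh=${b%%.*}
    if [ "$ah" = "$a" ]; then a=; else a=${a#*.}; fi
    if [ "$bh" = "$b" ]; then b=; else b=${b#*.}; fi
    [ "${ah:-0}" -gt "${bh:-0}" ] && return 1
    [ "${ah:-0}" -lt "${bh:-0}" ] && return 2
  done
  return 0
}

# Return 0 when Alpine version $1 (X.Y.Z-rN) is >= $2; a missing -rN counts as -r0.
apk_ver_ge() {
  case $1 in *-r*) r1=${1##*-r} ;; *) r1=0 ;; esac
  case $2 in *-r*) r2=${2##*-r} ;; *) r2=0 ;; esac
  vc=0; dotted_cmp "${1%-r*}" "${2%-r*}" || vc=$?
  [ "$vc" -eq 1 ] && return 0
  [ "$vc" -eq 2 ] && return 1
  [ "$r1" -ge "$r2" ]
}

# Report whether package $1 in the inventory meets fixed version $2.
# Returns 0 (patched) or 1 (still vulnerable, or package absent).
check_pkg() {
  have=$(printf '%s\n' "$INSTALLED" | grep "^$1-[0-9]" | head -n 1)
  [ -z "$have" ] && { echo "$1: not installed"; return 1; }
  have=${have#"$1-"}
  if apk_ver_ge "$have" "$2"; then echo "$1 $have >= $2: patched"; return 0; fi
  echo "$1 $have < $2: rebuild the image"; return 1
}

# Audit several NAME=FIXED-VERSION specs; exit status 1 if any is unpatched.
audit() {
  bad=0
  for spec in "$@"; do check_pkg "${spec%%=*}" "${spec#*=}" || bad=1; done
  return $bad
}
audit freetype=2.11.1-r2 zlib=1.2.12-r1 libpng=1.6.37-r1 || echo "unpatched packages found"
```

In a real image, replace the constructed inventory with `INSTALLED=$(apk info -v)` and run the audit as a CI gate after the rebuild.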

ncopa commented 2 years ago

> If we get a new alpine 3.15.5 version Image with all these fixes, it would solve all our problems with hassle-free.

The alpine base image does not include freetype, so it would not really solve anything. I cannot bump the version number of the base package every time any package in any repository gets a security update. I do create a new release when the base image itself has vulnerable packages (openssl, apk-tools, zlib, busybox).

arunsai271 commented 2 years ago

@ncopa Thank you for updating, I will move to Debian OS images.

roshan989 commented 2 years ago

@ncopa Thanks for your mention. I checked; in my case it is coming from openjdk11, with almost 6 libs that are vulnerable and not fixed by updating the jdk or upgrading the java version. Please correct me if I have made any mistake, and suggest any other OS image that will not download vulnerable libs with openjdk11.

ncopa commented 2 years ago

> @ncopa Thanks for your mention. I checked, in my case it is comping from openjdk11 with almost 6 lib that is vulnerable and not fixed by updating jdk or upgrading java version. please correct me for any mistake and suggest any other OS image that will not download vul lib with openjdk11.

Do you have the list of CVEs and/or packages that are vulnerable?

atawfik-elsevier commented 2 years ago

Security checks for new builds are passing now, thanks!

roshan989 commented 2 years ago

@ncopa

```dockerfile
RUN apk update && \
    apk add openjdk11 && \
    apk add --no-cache bash && \
    apk add curl

RUN apk add --update oniguruma && \
    apk add --update libx11

RUN apk add --update curl && rm -rf /var/cache/apk/*
RUN apk add jq
```

Vulnerable packages reported: freetype, giflib, ncurses-libs, ncurses-terminfo-base, lcms2